Debian 9858 Published by

The following updates has been released for Debian GNU/Linux 7 LTS:

DLA 1234-2: gdk-pixbuf regression update
DLA 1236-1: plexus-utils security update
DLA 1237-1: plexus-utils2 security update
DLA 1238-1: awstats security update



DLA 1234-2: gdk-pixbuf regression update




Package : gdk-pixbuf
Version : 2.26.1-1+deb7u8
Debian Bug : 886721

The patch introduced in DLA-1234-1 had a problem that caused
gdk-pixbuf's gif module to fail to load.

For Debian 7 "Wheezy", these problems have been fixed in version
2.26.1-1+deb7u8.

We recommend that you upgrade your gdk-pixbuf packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1236-1: plexus-utils security update




Package : plexus-utils
Version : 1:1.5.15-4+deb7u1
CVE ID : CVE-2017-1000487

Charles Duffy discovered that the Commandline class in plexus-utils, a
collection of components used by Apache Maven, does not correctly
quote the contents of double-quoted strings. An attacker may use this
flaw to inject arbitrary shell commands.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.5.15-4+deb7u1.

We recommend that you upgrade your plexus-utils packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1237-1: plexus-utils2 security update




Package : plexus-utils2
Version : 2.0.5-1+deb7u1
CVE ID : CVE-2017-1000487

Charles Duffy discovered that the Commandline class in plexus-utils2, a
collection of components used by Apache Maven, does not correctly
quote the contents of double-quoted strings. An attacker may use this
flaw to inject arbitrary shell commands.

For Debian 7 "Wheezy", these problems have been fixed in version
2.0.5-1+deb7u1.

We recommend that you upgrade your plexus-utils2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS






DLA 1238-1: awstats security update




Package : awstats
Version : 7.0~dfsg-7+deb7u1
CVE ID : CVE-2017-1000501
Debian Bug : 885835

Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the
handling of the "config" and "migrate" parameters resulting in unauthenticated
remote code execution.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0~dfsg-7+deb7u1.

We recommend that you upgrade your awstats packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS